Tag Archives: scientific linux

Disable the filesystem check (fsck) at boot time

There’s several ways of accomplishing this. I will list all the methods beneath, just pick the one that fits the situation/you.

  • Filesystem tunable
  • Grub boot parameter
  • Placing command files on your root device
  • Active reboot without FSCK

Filesystem tunable

Use the tune2fs command to tell your filesystem to have a max count of mounts before a check to 0 to disable it.

# tune2fs -c 0 /dev/sda1

Parameter reference:

-c max-mount-counts
 Adjust the number of mounts after which the filesystem will be  checked  by  e2fsck(8).   If max-mount-counts  is  0  or -1, the number of times the filesystem is mounted will be disregarded by e2fsck(8) and the kernel.

Grub boot parameter

Add the following at the end of your grub boot linux line.

fastboot

This can be done by editing “grub.conf” or by editing the boot command via the grub menu at boot.

Placing command files on your root device

To disable the filesystem check on boot.

# touch /fastboot

To enable a filesystem check on boot.

# touch /forcefsck

Active reboot without FSCK

# shutdown -rf

Parameter reference:

-r     Reboot after shutdown.
-f     Skip fsck on reboot.

// CrashMAG

Linux ACL

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. ACL allows you to grant or deny permissions for any user or group on a filesystem resource.

Enabling ACL

To enable ACL, edit your /etc/fstab file as such:

/dev/VolGroup00/LogVol00 /                       ext3    defaults,acl        1 1

Note: Moderm Redhat distributions enable ACL by default for the root filesystem.

Set ACL

To modify ACL use setfacl command. To add permissions use setfacl -m.

Add permissions to some user:

# setfacl -m "u:username:permissions"

or

# setfacl -m "u:uid:permissions"

Add permissions to some group:

# setfacl -m "g:groupname:permissions"

or

# setfacl -m "g:gid:permissions"

Add default ACL:

# setfacl -d -m "u:uid:permissions"

Remove all permissions:

# setfacl -b

Remove each entry:

# setfacl -x "entry"

To check permissions use:

# getfacl filename

Examples

Set read,write and execute permissions for user “johndoe” on the file named “abc”.

# setfacl -m "u:johndoe:rwx" abc

Check permissions.

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user “johndoe”.

# setfacl -m "u:johndoe:rw-" abc

Check permissions.

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johndoe:rw-
group::r--
mask::r-x
other::r--

Remove all extended ACL entries.

# setfacl -b abc

Check permissions.

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Additional Resources

man getfacl
man setfacl

If you weren’t using these already, you should.

// CrashMAG

Change the default SSH port and alter SELinux context to match

Security through obscurity is not something one would generally recommend. But to thwart the effort of automated scanners changing the default OpenSSH port will yield you less pain in every day life. This will not fend off directed attacks or nullify vulnerabilities or bad security design.

Should you see an error message such as

shd[14221]: error: Bind to port 9898 on 192.168.0.50 failed: Permission denied

it indicates that the system prevented the daemon to bind that port. Most likely SELinux.

The instructions provided will be valid on Fedora 14/15, CentOS 6, RHEL 6, Scientific Linux 6 and newer versions.

To change the default SSH port you need to do the following.

  • Stop the SSH daemon
  • Alter the /etc/ssh/sshd_config with your new port
  • Alter the SELinux context with semanage
  • Start the SSH daemon

Stop the SSH daemon

# service sshd stop

Alter the /etc/ssh/sshd_config with your new port

Alter the configuration file with your favorite editor, in my case “nano”.

# nano /etc/ssh/sshd_config

Alter the port configuration parameter change the following line

Port 22

to

Port 9898

Alter the SELinux context with semanage

# semanage port -a -t ssh_port_t -p tcp 9898

Initially you would think the following would work. But it will not. For it to work you would have to alter the policy in the selinux-policy package, rebuild and install it. So skip it, but now you know why.

# semanage port -d -t ssh_port_t -p tcp 22

Start the SSH daemon

# service sshd start

// CrashMAG

Change the default MySQL data directory with SELinux enabled

This is a short article that explains how you change the default MySQL data directory and adjust SELinux to account for the changes. The article assumes that you’re running either RHEL, CentOS, Scientific Linux or Fedora with SELinux enabled. This works with the most recent EL (6.2) version.

We’ll be doing this in the following order.

  • Stopping the MySQL server
  • Create a new data directory and move the content from the old data directory
  • Correct the MySQL configuration file
  • Adjust SELinux parameters to accept our new change
  • Starting the MySQL server

Stopping the MySQL server

# service mysqld stop

Create a new data diretory and move the content from the old one

Creating a new data directory

# mkdir /srv/mysql/
# chown mysql:mysql /srv/mysql

Moving the original data files

 # mv /var/lib/mysql/* /srv/mysql/

Correct the MySQL configuration file

Edit the my.cnf file for your distribution. In my example it’s located in the /etc/mysql/ directory. RHEL/CentOS/Scientific Linux put the my.cnf file directly in /etc by default.

# nano /etc/mysql/my.cnf

Change

datadir=/var/lib/mysql

to

datadir=/srv/mysql

and

socket=/var/lib/mysql/mysql.sock

to

socket=/srv/mysql/mysql.sock

and save the file.

Adjust SELinux parameters to accept our new change

Should the following command output “Permissive” or “Disabled” then you may skip the details for SELinux.

# getenforce

Run the semanage command to add a context mapping for /srv/mysql.

# semanage fcontext -a -t mysqld_db_t "/srv/mysql(/.*)?"

Now use the restorecon command to apply this context mapping to the running system.

# restorecon -Rv /srv/mysql

Starting the MySQL server

# service mysqld start

Verifying access and connectivity

$ mysql -u root -p
mysql> show databases;

If this is working, you’re up and running. Should you get a message that says

ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’

then add the following to your /etc/my.cnf

[client]
socket = /srv/mysql/mysql.sock

Optionally you can just use

$ mysql -u root -p --protocol tcp

to avoid connecting via the socket.

// CrashMAG

Changing the default PostgreSQL data folder (PGDATA)

Installing the PostgreSQL server on RHEL, CentOS, Scientific Linux or Fedora installs the PostgreSQL databases and configuration files in “/var/lib/pgsql/data”.

This may or may not be desirable. Let’s assume for a moment you have a separately crafted partition for PostgreSQL to use, let’s say a RAID10 volume. You’d want to change this.

Change the defaults

Use your favorite text editor, in my case nano to create the following file (must be the same as the name of the service)

# nano /etc/sysconfig/pgsql/postgresql

Add the following

PGDATA=/postgresql/data

Optionally you can also add the following to change the default port (example is the default port)

PGPORT=5432

Adjusting SELinux to permit the new data folder (pgdata) location

Should the following command output “Permissive” or “Disabled” then you may skip the details for SELinux.

# getenforce

Run the semanage command to add a context mapping for /opt/postgresql and any other directories/files within it.

# semanage fcontext -a -t postgresql_db_t "/postgresql/data(/.*)?"

Now use the restorecon command to apply this context mapping to the running system

# restorecon -Rv /postgresql/data

Starting PostgreSQL

# chkconfig --levels 345 postgresql on
# service postgresql initdb
# service postgresql start

You’re all set to go! Keep in mind that PostgreSQL listens to ‘localhost’ by default. To change this you need to alter the “listen_address” parameter in “/var/lib/pgsql/data/postgresql.conf” (change will require restart).

// CrashMAG

Setting up sSMTP with GMail

Let me introduce you to the “extremely simple MTA to get mail off the system to a mailhub”. Particularly useful when you don’t want systems to have a full blown MTA installed. Such as Postfix, Exim or Sendmail. I find ssmtp extremely helpful on standalone servers that use Logwatch.

Getting this up and running requires 4 steps.

  • Installing SSMTP
  • Configuring SSMTP
  • Changing the MTA on your system
  • Testing

Installing the daemon, ssmtp.

Use your favorite package manager, in my example I’ll be using YUM. (Fedora/CentOS/RHEL/Scientific Linux). For Centos/RHEL/Scientific Linux 5.5 or 5.6 you need access to the EPEL repository to install sSMTP. Add EPEL to your system using the following command.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

You can find eventual new links from http://download.fedora.redhat.com/pub/epel/5/i386/repoview/epel-release.html

yum install ssmtp

Configuring SSMTP

Edit /etc/ssmtp/ssmtp.conf with your favorite text editor. I’ll be using nano.

nano /etc/ssmtp/ssmtp.conf

Remove all the entries and replace it with the ones beneath.

root=insert_your_email_address here
mailhub=smtp.gmail.com:587
UseTLS=YES
UseSTARTTLS=YES
AuthUser=your_gmail_username_which_you'll_be_using_to_send
AuthPass=password

Changing the MTA

For CentOS/Fedora/RHEL

alternatives --config mta

Press the number that equals /usr/sbin/sendmail.ssmtp and you’re done.

Testing

I’m testing this using the verbose mode just to be able to see the dialogue with the Google SMTP server.

cat random_file | sendmail -v your_email_address

// CrashMAG

Managing /etc with etckeeper and git

The following was done on Fedora 14. Keep in mind that the Etckeeper and git specific actions will be similar on whatever platform you’re on.

Simply put, Etckeeper automatically revisions your /etc folder. Allows you to compare, commit and revert the changes that have been made. It’ll also allow you to restore files, should you be unlucky and delete them. Once etckeeper is installed, it will work together with your package manager and cron to do its work. To manage all this you’ll use the commands that your chosen VCS (Version Control System).

Etckeeper supports Git, Bazaar, Darcs and Mercurial.

Use of Etckeeper

Installation

yum install etckeeper

Initialization

etckeeper init

Initial commit

etckeeper commit "initial commit"

Once this is done, etckeeper will make sure that every time you use the package manager (YUM) changes will be recorded. There are however a few git related commands you should be aware of.

Useful and necessary commands

Note: All of these commands assumes your current path is /etc

Viewing the Git log

git log

Check if there’s any modified files

git status

Complete status overview

git log --stat --summary

Revert a change

git revert 

View changes you haven’t commited yet

git diff

List different commits, each on one line.

git log --pretty=oneline

Revert to latest change-set, discarding changes

git reset --hard

Re-enter commit message

git commit --amend

Have at it folks!

// CrashMAG

Correcting the eth0 MAC Address in RHEL or CentOS

Cloning machines in VMWare is really straightforward thing. However once you do clone a machine, you’ll be left with new MAC addresses for the network cards. In a typical scenario the cloned RHEL or CentOS machine will boot up without the local network interface. You’ll typically see the following during boot.

Bringing up interface eth0: Device eth0 has different MAC address than expected, ignoring.

The reason for this is that

/etc/sysconfig/network-scripts/ifcfg-eth0

contains a variable called “HWADDR=”. Do the following to add the appropriate MAC address and restore networking functionality.

  • As the root user (or a user with appropriate permissions)
  • Type “ifconfig -a”
  • From the displayed information, find eth0 (this is the default first Ethernet adapter)
  • Locate the number next to the HWaddr. This is your MAC address

A typical output would be as follows.

eth0      Link encap:Ethernet  HWaddr 00:1B:21:1F:66:88
          inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
... the additional output has been removed...

Now you edit

/etc/sysconfig/network-scripts/ifcfg-eth0

and modify the “HWADDR=” variable to include your MAC address. E.g.

HWADDR=00:1B:21:1F:66:88

Save the file. At this point you run

# service network restart

as root from the command prompt. You’ve now restored networking.

// CrashMAG

Disable IPv6 lookups with Bind on RHEL or CentOS

Discovered during a recent project. Bind / Named was constantly spamming the logs about it being unable to reach root servers. The logs revealed that we were talking IPv6 addresses. Which was assumed to be disabled.

The less cool part was that in “/etc/named.conf” the following was commented out.

//      listen-on-v6 port 53 { ::1; };

It turns out that to disable the IPv6 lookups you have to edit “/etc/sysconfig/named” and set

OPTIONS="-4"

The option does the following

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.

You then run

service named restart

This serves the very practical purpose of not spamming the logs. My ISP has yet to enable IPv6 so it does me no good.

// CrashMAG

Resetting the root password for MySQL running on RHEL or CentOS

I recently had to reset the MySQL root password due to the fact that initializing it the way I assumed it should did not work. The following procedure will work in CentOS/RHEL/Scientific Linux and Fedora.

After installing MySQL using

# yum install mysql-server

I ran the command

# mysqladmin -u root password 'new-password'

Trying to log in with the following failed

# mysql -u root -p

with the following error

Access denied for user 'root'@'localhost'

Decided to not spend more time as it’s a fresh MySQL installation. And did the following to reset the root password for MySQL.

Resetting the root password

1) Stopped the MySQL service.

# service mysqld stop

2) Started MySQL in safe mode.

# mysqld_safe --skip-grant-tables &

3) Logged in using root.

# mysql -u root

4) Reset the password.

> use mysql;
> update user set password=PASSWORD("mynewpassword") where User='root';
> flush privileges;
> quit

5) Stop MySQL in safe mode.

# service mysqld stop

6) Start MySQL.

# service mysqld start

7) Log in using the new password.

# mysql -u root -p

Success!

// CrashMAG